1. Technical Field
The present application relates generally to a system and method for initializing an SNMP (simple network management protocol) agent and, in particular, a system and method for generating authentication and privacy keys for a first user of a SNMPv3 network-managed device and securely entering the keys into the device to initialize the device into SNMPv3 mode.
2. Description of Related Art
In general, the SNMP is a standard application-layer protocol that is employed in a network to facilitate the exchange of management information between networked devices. The SNMPv3 framework defines standard security and access control protocols known, respectively, as the User-Based Security Model (USM) and View-Based Access Control Model (VACM). The SNMPv3 standard is an extensible “bare-bones” protocol that allows vendors to incorporate proprietary MIB (management information base) elements and applications to execute on top of the standard SNMP framework.
An SNMP network generally comprises a plurality of distributed SNMP entities, each comprising one or more SNMP agents or one or more SNMP managers (although an entity may comprise both an agent and a manager), that communicate using SNMP messages. An SNMP manager (or NMS (network management station)) is responsible for managing one or more SNMP agents within the domain of the SNMP manager. An SNMP agent is included on each node (or host) of the network (e.g., computer, server, etc.) that is managed by an SNMP manager. Each agent is responsible for collecting and maintaining information about its environment, providing such information to a respective SNMP manager, and responding to manager commands to alter the local configuration or operating parameters of the managed node. Each SNMP agent maintains a local MIB (management information base), which is a virtual information store that comprises management information, i.e., current and historical information about the local configuration and traffic of the managed device (node). More specifically, the SNMP agent MIB comprises a collection of managed objects within the device to be managed, wherein collections of related objects are defined in MIB modules.
In an SNMPv3 mode, an SNMP agent implements the standard USM (user-based security model), wherein the configuration parameters for the USM are managed via MIB elements defined by the SNMP-USER-BASED-SM-MIB module (which is described in detail, for example, in RFC 2574, “User-Based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)”, by Blumenthal et al., April 1999). As is known in the art, under USM each valid user associated with an SNMPv3 agent has a unique secret authentication key and a unique privacy key, which are used (with the standard protocols) for authenticating incoming/outgoing messages and for encrypting/decrypting the payload of outgoing/incoming messages. Furthermore, in an SNMPv3 mode, the SNMP agent utilizes the View-based Access Control Model (VACM) (in response to a call by an SNMP application) to determine whether a specific type of access (read, write) is authorized for an SNMP manager requesting to retrieve or modify local MIB managed data, or whether the manager is authorized to receive notifications (traps) from the agent. The configuration parameters for the VACM are managed via MIB elements defined by the SNMP-VIEW-BASED-ACM-MIB (as described in detail, for example, in RFC 2575, “View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)”, by Wijnen et al., April 1999).
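The authentication and privacy keys referred to above are, under USM, derived from a per-user password and then "localized" to one agent by mixing in that agent's snmpEngineID, so that the key stored on any single device differs from the key stored on every other device sharing the same password. The following Python example, added here and not part of the present application, implements the RFC 2574/RFC 3414 password-to-key algorithm and key localization for the two authentication hash functions USM defines (MD5 and SHA-1); the password "maplesyrup" and the engine ID are the published RFC 3414 Appendix A test vector, and the function names are this example's own.

```python
"""USM password-to-key and key localization (RFC 2574 / RFC 3414, Appendix A).

Added worked example; function names are this example's own, not the
application's or any library's.
"""
import hashlib

# USM hashes exactly 1,048,576 bytes of the password repeated cyclically.
PASSWORD_STREAM_LEN = 1048576

# Hash functions USM defines for HMAC-MD5-96 and HMAC-SHA-96 authentication.
AUTH_ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def password_to_key(password: bytes, algorithm: str = "md5") -> bytes:
    """Derive the user's non-localized key Ku from a password."""
    if not password:
        raise ValueError("password must not be empty")
    hasher = AUTH_ALGORITHMS[algorithm]()
    repeats = PASSWORD_STREAM_LEN // len(password) + 1
    # Cyclic repetition of the password, truncated to 1 MiB, then hashed.
    hasher.update((password * repeats)[:PASSWORD_STREAM_LEN])
    return hasher.digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """Localize Ku to a single agent: Kul = H(Ku || snmpEngineID || Ku)."""
    hasher = AUTH_ALGORITHMS[algorithm]()
    hasher.update(ku + engine_id + ku)
    return hasher.digest()


def derive_localized_keys(password: bytes, engine_id: bytes,
                          algorithm: str = "md5") -> tuple:
    """Return (Ku, Kul) for a user password on the agent with engine_id."""
    ku = password_to_key(password, algorithm)
    return ku, localize_key(ku, engine_id, algorithm)


if __name__ == "__main__":
    # snmpEngineID and password from the RFC 3414 Appendix A test vector.
    engine_id = bytes.fromhex("000000000000000000000002")
    for algo in ("md5", "sha1"):
        ku, kul = derive_localized_keys(b"maplesyrup", engine_id, algo)
        print(f"{algo}: Ku={ku.hex()} Kul={kul.hex()}")
```

The privacy key is produced by the same procedure from the privacy password; with CBC-DES the first 8 bytes of the 16-byte localized key serve as the DES key and the last 8 as the pre-IV. Because localization binds the key to one engine ID, provisioning many agents means computing and installing a distinct Kul on each device even when the operator uses one password, which is the scaling problem the out-of-band initialization discussed below addresses.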
Various applications and network architectures implement the SNMP framework. For instance, the SNMP protocol has been selected as the communications protocol for management of DOCSIS (Data Over Cable Service Interface Specifications)-based cable modem systems. DOCSIS cable modems are configured with SNMP agents, which allows a manager (the operator of the DOCSIS cable modem system) to remotely manage and configure the cable modems of the end users. The current DOCSIS cable modem system framework, however, does not provide a standard protocol for entering the initial authentication and privacy keys into a cable modem to initialize the cable modem in SNMPv3 mode, and vendors must provide proprietary protocols for performing this initialization.
The SNMPv3 framework recommends that the usmUserTable be populated out of band, i.e., not using SNMP (the first user must be created and its authentication and privacy keys entered in the managed device without using SNMP). SNMP cannot be used for this initialization because it provides privacy only by using the privacy key of an already existing user. If the number of agents to be initialized is small, the initialization can be performed manually via a console port. If the number of agents is large, such as in cable modem systems, the manual approach is burdensome and does not scale well. Accordingly, a system and method that would provide a secure method for entering the privacy and authentication keys into a cable modem in a DOCSIS system to initialize the modem in SNMPv3 mode is highly desirable.